Attackers experimenting with CVE-2017-0199 in recent phishing attacks

Researchers at Trend Micro and Cisco Talos have identified a new wave of phishing attacks leveraging CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office handles OLE (Object Linking and Embedding) objects, which Microsoft patched in April.

These latest attacks have paired the vulnerability with others in an attempt to bypass warning messages, but the results were less than stellar.

Talos

In a blog post, Talos researchers said the attacks they've observed combined CVE-2017-0199 with an older exploit, CVE-2012-0158, in an attempt to bypass the warning messages displayed by Microsoft Word. However, they believe the attacks were a test run of sorts, because the attackers made several mistakes that limited their overall effectiveness.

"Analysis of the payload highlights the potential for the Ole2Link exploit to launch other document types, and also demonstrates a lack of rigorous testing procedures by at least one threat actor. Attackers are obviously trying to find a way around known warning mechanisms alerting users about potential security issues with opened documents," the Talos post explained.

The attacks start with an email carrying a malicious RTF attachment. The RTF embeds an OLE2Link object marked to update automatically; when Word opens the document it follows the link and fetches a remote file, and the vulnerability causes that file (an HTA) to be executed, ultimately resulting in malware on the system.

But the attackers failed to test their code: the two vulnerabilities they attempted to chain together did not work as intended, and the warning prompts within Word were still displayed as expected. Why attempt to use two vulnerabilities at all? If the system was vulnerable to CVE-2012-0158, that exploit alone would have been simpler for the attacker.

"An assumption we can make is that the attackers used the combination to avoid Word displaying the prompt which may raise suspicions for the target end user. Another possibility is that they attempted to use this combination in order to avoid behavioral detection systems which may be triggering on the combination of Ole2Link in a word document and a download of an HTA file," the post says.

The same day that Talos published its findings, researchers at Trend Micro did the same. In their case, however, the attackers were using PPSX (PowerPoint Slideshow) attachments, bearing out the Talos observation that attackers would eventually start testing additional Office formats.

The PPSX discovered by Trend researchers also leveraged CVE-2017-0199. The email itself appeared to target companies involved in electronics manufacturing. The researchers who investigated the message believe the 'From' field was spoofed to mimic a legitimate email from a known business partner, but the findings aren't conclusive.

When the victim opens the PPSX file, instead of the promised business documents, the screen displays a page with nothing other than 'CVE-2017-8570' written on it, the identifier of an entirely different Microsoft Office vulnerability. This stray text led Trend researchers to speculate that it is a leftover mistake from the toolkit developer, one the attackers never bothered to address.

In the background, once the file is opened, the exploit is triggered through the PowerPoint Show animations feature. A second file is downloaded, which is actually an XML file containing JavaScript; that script runs PowerShell commands to download and execute a RAT.

"Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focuses on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection," the Trend blog explains.
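As an added example (not code from the article, Talos or Trend Micro), the following Python scanner applies the two document-level indicators described above: an RTF whose embedded object is marked to auto-update and whose object data names the OLE2Link class, and an OOXML package whose relationship file carries an external OLE object target. The OOXML check is written generally, so it covers DOCX and XLSX relationship files as well as the PPSX case in the text. The sample RTF and PPSX inputs are constructed inline and the URL is a placeholder; the scanner does not inspect the animation trigger itself, only the remote link it fires.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# --- RTF vector -----------------------------------------------------------
# Control words that make Word refresh a linked object on open.
RTF_AUTO_CTRL = re.compile(rb"\\obj(?:autlink|update)\b")
# The OLE1 object stream inside \objdata is hex-encoded; "OLE2Link" is the
# class name the exploit documents carry.
OLE2LINK_HEX = "OLE2Link".encode("ascii").hex().encode("ascii")


def scan_rtf(data: bytes) -> list:
    """Return a list of indicator strings found in an RTF document."""
    findings = []
    if RTF_AUTO_CTRL.search(data):
        findings.append("rtf: auto-updating linked object (\\objautlink/\\objupdate)")
    # Collapse whitespace so a hex run split across lines still matches.
    compact = re.sub(rb"\s+", b"", data).lower()
    if OLE2LINK_HEX in compact:
        findings.append("rtf: hex-encoded OLE2Link class name in \\objdata")
    return findings


# --- OOXML vector (PPSX/PPTX/DOCX/XLSX) ----------------------------------
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")
# Targets that fetch or execute remote content rather than a part in the zip.
REMOTE_TARGET = re.compile(r"^(https?://|file://|\\\\|script:|mhtml:)", re.I)


def scan_ooxml(data: bytes) -> list:
    """Flag every external OLE object relationship in an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root:  # children are <Relationship> elements
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if REMOTE_TARGET.match(target):
                    findings.append(f"ooxml: {name} external OLE link -> {target}")
    return findings


def scan_document(data: bytes) -> list:
    """Dispatch on the file magic; unknown formats yield no findings."""
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []


# --- constructed sample inputs (not real malware) -------------------------
# Minimal RTF with an auto-updating object whose OLE1 header names OLE2Link:
# version 01050000, format 02000000, class-name length 9, "OLE2Link\0".
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 0105000002000000 09000000 " + OLE2LINK_HEX + b"00 }}}"
)


def build_sample_ppsx(target: str, mode: str = "External") -> bytes:
    """Build an in-memory PPSX skeleton with one oleObject relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("ppt/slides/slide1.xml",
                   "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
                   f"<Relationship Id='rId2' Type='{OLE_REL}' Target='{target}' TargetMode='{mode}'/>"
                   "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("rtf", SAMPLE_RTF),
                        ("ppsx-remote", build_sample_ppsx("http://example.invalid/logo.doc")),
                        ("ppsx-benign", build_sample_ppsx("../embeddings/oleObject1.bin", "Internal"))]:
        print(label, scan_document(blob) or "clean")
```

Both checks are heuristics: a benign linked object can legitimately carry `\objupdate`, and an external OLE relationship is unusual but not impossible in real presentations, so treat a hit as a reason to detonate or quarantine the file rather than as proof of exploitation.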

Users who applied April's updates are protected from these recent attacks. Even so, users should remain cautious when opening files or following links, even if they come from a source that looks legitimate on the surface.


Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.